802.1X PORT AUTHENTICATION WITH LDAP
March 2003
Version 1.0.0
Contents
NOMENCLATURE  3
RELATED PUBLICATIONS  3
TRADEMARKS  3
802.1X PORT AUTHENTICATION BASICS  4
LDAP  5
Disclaimer
Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting the Interlink Networks Secure.XS product. Refer to Interlink Networks for complete installation guidelines and product information regarding the Secure.XS components mentioned in this white paper.
Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting Meetinghouse's AEGIS Windows and Mac OS clients. Refer to Meetinghouse Data Communications for complete installation guidelines and product information regarding the AEGIS 802.1X clients mentioned in this white paper.
Foundry Networks, Inc. makes no claims or guarantees as to the accuracy of installing and supporting OpenLDAP. Refer to the OpenLDAP community at www.OpenLDAP.org for complete installation guidelines and product information.
Related Publications
The following Foundry Networks documents supplement the information in this guide.
Foundry Security Guide - provides procedures for securing management access to Foundry devices and for
protecting against Denial of Service (DoS) attacks.
Foundry Enterprise Configuration and Management Guide - provides configuration information for enterprise
routing protocols including IP, RIP, IP multicast, OSPF, BGP4, VRRP and VRRPE.
Foundry Switch and Router Command Line Interface Reference - provides a list and syntax information for all the
Trademarks
Microsoft Windows 2000 and Microsoft Windows XP are trademarks or registered trademarks of Microsoft Corporation.
Secure.XS is a trademark or registered trademark of Interlink Networks.
AEGIS Client is a trademark or registered trademark of Meetinghouse Data Communications.
Foundry Networks, BigIron, EdgeIron, FastIron, NetIron, ServerIron, and the Iron family of marks are
trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries.
All other trademarks are the properties of their respective owners.
802.1X Port Authentication Basics
Three components make up an authentication mechanism based on the 802.1X standard: the Client (Supplicant), the Authenticator, and the Authentication Server.
Client/Supplicant
The client, or supplicant, is the device that needs to authenticate to the network. It supplies its credentials (username and password) to the Authenticator using the Extensible Authentication Protocol (EAP); the Authenticator relays them to the Authentication Server for verification.
Authenticator
Authentication Server
LDAP
Lightweight Directory Access Protocol (LDAP) is a directory service based on the X.500 Directory Services model. LDAP names both the information repository and the protocol used to query and manipulate the data in an LDAP directory. The LDAP directory is a specialized data store tuned to answer read, browse, and search queries quickly. It holds attribute-based, descriptive information that supports complex searches and filtering. Directories are optimized for reads rather than frequent updates, and support replication schemes for local and global architectures.
OpenLDAP is an open-source LDAP implementation developed by a community of users. It is considered by many IT professionals to be a robust, commercial-grade LDAP solution and is used in enterprise directory services. It uses schemas to allow flexible definition of the directory information, which can hold many different types of corporate and personal data, allowing businesses to centralize and search directory trees.
NOTE: For more information on OpenLDAP, please refer to the following site: www.openldap.org
Installing OpenLDAP
For installations that will use Foundry's 802.1X Port Authentication with an LDAP directory for authentication, an existing production LDAP directory with the necessary user accounts will most likely already be in place. This section describes the steps for creating an OpenLDAP server for the sample implementation and can be skipped if a production LDAP directory exists.
The sample LDAP directory allows anonymous searches, with no bind credentials required to read the directory. To simplify LDAP lookups, passwords were stored in cleartext in the LDAP directory. Production systems should store passwords hashed; note, however, that the EAP-MD5 method used in this paper requires the authentication server to recompute an MD5 digest over the cleartext password, so a hashed userPassword cannot be verified by the retrieve-and-compare approach described here. Whatever the storage format, restrict who may read userPassword rather than leaving it open to anonymous clients.
Step 1: Prepare a host with the necessary UNIX or Windows operating system; the OS selected must be supported by OpenLDAP. For the sample installation, Red Hat Linux version 8.0 was used with the latest security patches.
Step 2: Download, compile, and install OpenLDAP. The source files can be found at www.openldap.org and the
installation guide can be found at the following web site: www.openldap.org/doc/admin/quickstart.html
Step 3: Load the necessary object classes from the schema to populate the LDAP directory with the necessary
objects. For the sample installation, the OpenLDAP person and inetOrgPerson object classes were loaded.
These two object classes supported the basic user account information that will be used to authenticate the client
users.
Step 4: Load any additional management tools to help manage the LDAP directory. GQ version 0.4.0 was loaded on the sample OpenLDAP server to provide a graphical user interface. GQ's graphical interface makes browsing and modifying the LDAP directory much easier.
Sample user record (the attribute column is reconstructed here with the standard person/inetOrgPerson attribute names that hold these values):
Attribute          Example Value
dn                 cn=john smith,dc=foundry,dc=com
objectClass        person, inetOrgPerson
sn                 smith
cn                 john smith
userPassword       testpassword
telephoneNumber    408 555-1212
displayName        John Smith
givenName          john
mail               jsmith@foundry.com
uid                jsmith
Step 6: Test your LDAP server with the GQ client to ensure that the LDAP directory can be browsed, searched, and modified.
For 802.1X Port Authentication, the two most critical attributes are the User ID (uid) and the User Password (userPassword). The authentication proxy looks up the entry whose uid matches the username entered by the client and checks the password the client proves knowledge of against that entry's userPassword attribute.
NOTE: For more information on installing OpenLDAP, please refer to the following web sites:
http://www.openldap.org
http://www.openldap.org/doc/admin/quickstart.html
http://www.openldap.org/doc/
Installing Secure.XS
Interlink Networks Secure.XS version 6.0.3 for Windows was installed on a Windows 2000 Server (with SP3) for
the sample installation. The following steps illustrate a basic installation of Secure.XS and the configuration steps
required to allow Secure.XS to proxy RADIUS authentication requests from the Foundry device to the LDAP
directory.
Depending on the products and versions used for the RADIUS authentication proxy, these steps may or may not
apply. Please check with Interlink Networks for the latest installation guidelines if Secure.XS will be used for your
implementation.
Step 3: Start the Secure.XS Server Manager utility and log into the management interface using the default administrator account (adminaaa) and password (adminaaa); change this default password before the server is reachable from the network. The Server Manager is found under the Start/Programs/Interlink Networks menu. The Secure.XS Server Manager screen is displayed as shown in Figure 3.
On the LDAP Directory screen, enter the following configuration information to set up the LDAP link:
o Directory Name: A unique identifier for the LDAP directory link, e.g. Foundry OpenLDAP.
o Host: The IP address or DNS name of the LDAP server.
o Port: The port the LDAP server listens on (the default LDAP port is 389).
o Administrator & Password: The distinguished name (DN) of the directory account the proxy binds as, and its password. These two fields are required only if the LDAP directory does not allow anonymous searches. For the sample installation, the OpenLDAP directory was set up to allow anonymous searches. Because the proxy retrieves userPassword through that search, anyone able to reach the directory port can read every user's password; production directories should require an authenticated bind and restrict read access to userPassword with an ACL.
o Search Base: The base DN from which searches start. Enter the same suffix that was used when the directory was created, for example dc=foundry,dc=com.
o Filter: The LDAP attribute that is matched against the username presented for authentication. The sample installation matches on the directory's User ID (uid) attribute.
o Authentication Type: Set to Search.
Select the Save button to create the LDAP directory link.
Select the Create Button to create the new Local Realm.
Retrieve-only true
NOTE: After the changes are made to the authfile and EAP.authfile, any further changes made to the Secure.XS
server and saved to the local configuration files may overwrite the changes manually made in this section. If
changes are made using the Server Manager GUI after this step, please check the contents of the authfile and
EAP.authfile to make sure the correct configuration is set.
NOTE: The LDAP Server must be configured to return the password when the User ID (uid) parameter is
searched. It should also be programmed to return any VLAN information that is stored in the LDAP record. The
base installation of OpenLDAP configured in this sample installation will return the necessary information when
queried.
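The check the proxy performs once LDAP has returned userPassword, and the reason the sample directory keeps that attribute in cleartext, as an added Python illustration (this is not Foundry, Interlink or OpenLDAP code). It covers the uid/userPassword lookup described under Step 6 and the EAP-MD5 method the Windows clients in this paper use: the server recomputes MD5(Identifier || password || Challenge) from the stored password and compares it with the supplicant's response. The directory dictionary is constructed from the sample record earlier in this paper, with the standard inetOrgPerson attribute names assumed; the {SSHA} variant and the word list are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the sample OpenLDAP directory, keyed by uid.
# Values come from this paper's example record; the attribute names are the
# standard person/inetOrgPerson attributes assumed to hold them.
SAMPLE_DIRECTORY = {
    "jsmith": {
        "dn": "cn=john smith,dc=foundry,dc=com",
        "objectClass": ["person", "inetOrgPerson"],
        "cn": "john smith",
        "sn": "smith",
        "uid": "jsmith",
        "userPassword": "testpassword",  # cleartext, as in the sample install
    },
}


def ssha(password, salt=b"\x01\x02\x03\x04"):
    """OpenLDAP-style {SSHA} hash. The salt is fixed here only so the
    example is deterministic; slappasswd picks a random one."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# The same record as it would look with a hashed userPassword (constructed).
HASHED_DIRECTORY = {
    "jsmith": dict(SAMPLE_DIRECTORY["jsmith"], userPassword=ssha("testpassword")),
}


def lookup_password(directory, uid):
    """The proxy's retrieve-only search: find the entry by uid and return
    its userPassword, or None when no such uid exists."""
    entry = directory.get(uid)
    return None if entry is None else entry["userPassword"]


def eap_md5_response(identifier, password, challenge):
    """EAP-MD5 Response value (RFC 3748 section 5.4, same construction as
    CHAP in RFC 1994): MD5(Identifier || secret || Challenge). The password
    goes in as raw bytes, so the server must hold it in cleartext."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def authenticate(directory, uid, identifier, challenge, response):
    """What the RADIUS proxy does with the LDAP result: recompute the
    expected response from the stored password and compare it."""
    password = lookup_password(directory, uid)
    if password is None:
        return False
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def supplicant_round_trip(directory, uid, typed_password, identifier=0x2A):
    """Authenticator issues a challenge, the supplicant answers with the
    password the user typed, the server verifies against the directory."""
    challenge = os.urandom(16)
    response = eap_md5_response(identifier, typed_password, challenge)
    return authenticate(directory, uid, identifier, challenge, response)


def offline_guess(identifier, challenge, response, wordlist):
    """Caveat: EAP-MD5 frames are sent unencrypted on the wire. Anyone who
    captured one Request/Response pair can test candidate passwords
    offline at MD5 speed, with no further contact with the network."""
    for candidate in wordlist:
        if eap_md5_response(identifier, candidate, challenge) == response:
            return candidate
    return None
```

The hashed-directory case fails not because the password is wrong but because the proxy receives the {SSHA} string where it expects the secret; that is the trade-off the disclaimer about cleartext storage above is really about. The offline_guess function is why EAP-MD5 belongs only on wired ports you already trust physically.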
Configure the Foundry device (Authenticator) to interact with one or more Authentication Server(s)
(RADIUS, RADIUS proxy servers, etc.).
Configure the Foundry device to act as the Authenticator.
Configure the Foundry devices interaction with the Client device (optional step).
Step 1: Configure the Foundry device to use RADIUS for authenticating 802.1X security and define one or more
RADIUS or RADIUS proxy servers.
Syntax: [no] aaa authentication dot1x default <radius | none>
BigIron(config)# aaa authentication dot1x default radius
Configure the device to use one or more RADIUS or RADIUS proxy servers. Set the authentication and accounting port numbers to match the RADIUS server's settings, and specify the shared secret used to authenticate to the RADIUS server. The secret must be identical to the one configured on the RADIUS proxy server (the Secure.XS server). Choose a long, random secret: it is all that protects the Access-Accept, and the VLAN assignment it may carry, from being forged by someone who can send packets to the switch.
To configure 802.1X for individual ports, use the enable command with the port number. A range can also be specified to speed up configuration. Be careful not to add uplink ports or ports of critical servers that do not require 802.1X Port Authentication; access to those hosts may otherwise be lost.
BigIron(config-dot1x)# enable Ethernet 2/1 to 2/24
BigIron(config-dot1x)# enable Ethernet 3/1 to 3/24
BigIron(config-dot1x)# enable Ethernet 4/1 to 4/10
BigIron(config-dot1x)# enable Ethernet 4/17 to 4/24
BigIron(config-dot1x)# write memory
Step 3: For all interfaces using 802.1X authentication, set the port control mode to force-authorized, force-unauthorized, or auto. Auto leaves the controlled port unauthorized until the RADIUS server validates the authentication.
BigIron(config)# interface e 3/1
BigIron(config-if-3/1)# dot1x port-control auto
The switch is now enabled for 802.1X Port Authentication. Make sure the RADIUS server is properly configured
to authenticate each user.
If the multiple-hosts option is used, the port allows multiple devices to access the network once the first 802.1X client authenticates successfully; the other hosts on the port are never authenticated themselves and ride on that client's session. When the authenticated client logs off the network and terminates the authenticated session, the port denies access to the remaining hosts. Another client must authenticate successfully to enable the port for multiple-host access again.
NOTE: For more information on MAC Address Locking and 802.1X authentication, refer to the Foundry Switch
and Router Command Line Interface Reference and the Foundry Security Guide.
After the installation of the required service packs and/or patches, Windows 2000 clients will be configured with
the necessary files to support 802.1X EAP-MD5 authentication. Windows XP clients include 802.1X natively but
must have SP1 to work with DHCP properly.
Perform the following steps to configure the Windows client for 802.1X EAP-MD5 support:
Step 1: Open the Properties window for your Ethernet network connection. With 802.1X support installed,
you should see the Authentication tab.
These commands can also be placed in a batch file and placed onto the desktop to speed the process of renewing
a DHCP address. An example of the batch file commands are:
ipconfig /release
ipconfig /renew
pause
exit
If you need to manually control the Local Area Connection authentication prompt, temporarily disconnect the
network cable from the client for 10 seconds and then reattach it. This will trigger a new EAP-MD5
authentication process and allow the user to enter the authentication credentials again.
AEGIS Windows Client version 2.0.0 from Meetinghouse Data Communications. The AEGIS Windows Client offers a single sign-on solution. For more information on this client, visit: www.mtghouse.com
AEGIS Mac OS Client version 1.2.1 from Meetinghouse Data Communications. For more information on this client, visit: www.mtghouse.com
Foundry uses the following standard RADIUS attributes returned from the LDAP directory to place the port into the proper VLAN:
Attribute Name            Type   Value
Tunnel-Type               064    13 (decimal) VLAN
Tunnel-Medium-Type        065    6 (decimal) 802
Tunnel-Private-Group-ID   081    <vlan-name> (string): either the name or the number of a VLAN configured on the Foundry device
If the Tunnel-Type or the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message do not have
the values specified above, the Foundry device will ignore the three Attribute-Value pairs. If the
authentication credentials supplied were valid, the Foundry device authorizes the port, but the port is not
dynamically placed in a VLAN. Otherwise, the client is not authorized.
If the Tunnel-Type or the Tunnel-Medium-Type attributes in the RADIUS Access-Accept message have the
values specified above, but there is no value specified for the Tunnel-Private-Group-ID attribute, the client
will not be authorized.
When the Foundry device receives the value specified for the Tunnel-Private-Group-ID attribute, it checks its
VLANs for a match using both the name and the numeric ID. If there is a match, the port is placed in the
VLAN whose ID corresponds to the VLAN Name or ID. If there is no match, the client is not authorized.
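The three acceptance rules above, applied to the attribute bytes of an Access-Accept, as an added Python illustration (not Foundry code; the switch's real parser is not published here). It assumes the 20-byte RADIUS header has already been stripped and validated, decodes the tag-int and tag-str encodings of RFC 2868 that the dictionary section below relies on, and returns what the port would do. The VLAN table and the sample packets are constructed for the example.

```python
# RADIUS attribute numbers and the dictionary values this paper relies on.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13     # VALUE Tunnel-Type        VLAN      13
MEDIUM_IEEE_802 = 6       # VALUE Tunnel-Medium-Type IEEE-802   6


def parse_avps(data):
    """Split the attribute section of a RADIUS packet into (type, value)
    pairs. Each AVP is type(1) length(1, counts itself) value(length-2).
    A malformed length raises instead of silently yielding a partial list."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header at offset %d" % i)
        avp_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length %d at offset %d" % (length, i))
        avps.append((avp_type, data[i + 2:i + length]))
        i += length
    return avps


def tagged_int(value):
    """tag-int (RFC 2868): one tag byte, then a 3-byte big-endian integer."""
    if len(value) != 4:
        raise ValueError("tag-int value must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_str(value):
    """tag-str (RFC 2868): a leading byte in 0x01..0x1F is a tag; otherwise
    the whole value is the string and the tag is 0."""
    if value and 0x01 <= value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_decision(avps, configured_vlans):
    """Apply the Access-Accept rules from the text. configured_vlans maps
    VLAN name -> numeric ID as configured on the switch. Returns
    ("authorized", vlan_id), ("authorized", None) or ("rejected", reason).
    Credentials are already known to be valid: this is an Access-Accept."""
    by_type = dict(avps)
    tunnel_type = by_type.get(TUNNEL_TYPE)
    medium = by_type.get(TUNNEL_MEDIUM_TYPE)
    if tunnel_type is None or medium is None:
        return "authorized", None        # no dynamic VLAN; port keeps its static VLAN
    _, tunnel_type_val = tagged_int(tunnel_type)
    _, medium_val = tagged_int(medium)
    if tunnel_type_val != TUNNEL_TYPE_VLAN or medium_val != MEDIUM_IEEE_802:
        return "authorized", None        # wrong values: device ignores all three AVPs
    group_id = by_type.get(TUNNEL_PRIVATE_GROUP_ID)
    if group_id is None:
        return "rejected", "Tunnel-Private-Group-ID missing"
    _, name_or_id = tagged_str(group_id)
    if name_or_id in configured_vlans:                       # match by VLAN name
        return "authorized", configured_vlans[name_or_id]
    if name_or_id.isdigit() and int(name_or_id) in configured_vlans.values():
        return "authorized", int(name_or_id)                 # match by numeric ID
    return "rejected", "no configured VLAN matches %r" % name_or_id


def build_tunnel_avps(vlan, tag=1):
    """Encode the three AVPs as the ':1:'-tagged dictionary entries emit
    them; used here to construct sample Access-Accept attribute bytes."""
    def avp(avp_type, value):
        return bytes([avp_type, len(value) + 2]) + value
    return (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")))
```

The two "authorized, None" branches are the ones to watch in practice: a typo in the dictionary values or a missing Tunnel-Medium-Type quietly leaves the port in its static VLAN, which is usually the default VLAN, rather than failing closed. The "rejected" branches are the safer failures, which is why the text's distinction between a missing Tunnel-Private-Group-ID and a wrong Tunnel-Type matters.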
/etc/openldap/schema
Step 2: Modify the slapd.conf file to include the new RADIUS schema file. The slapd.conf file is located in the /etc/openldap/ directory. The modified file should include the following new line:
include /etc/openldap/schema/iaaa-radius.schema
EXAMPLE:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/iaaa-radius.schema
Every RADIUS server has a dictionary that defines the attributes and values it supports. The dictionary layout varies by RADIUS vendor. For the Interlink Networks Secure.XS server, the dictionary file is located in the \program files\interlinknetworks\aaaserver\raddb directory. This directory tree may differ if the application was installed somewhere other than the default installation directory.
To confirm that the RADIUS Tunnel Attributes are properly defined in the RADIUS dictionary file, perform the following steps:
Step 1: Using a text editor such as WordPad, navigate to the location of the RADIUS dictionary file and open it.
Step 2: Search for Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id in the dictionary file. Verify that the three RADIUS Tunnel Attributes are defined in the ATTRIBUTE section of the dictionary as displayed below. Notice the tag-int and tag-str types: these are tagged attributes (RFC 2868), which is why the sample installation precedes each tunnel attribute value with the :1: tag.
ATTRIBUTE  Login-LAT-Port           63  string   (1, 0, 0)
ATTRIBUTE  Tunnel-Type              64  tag-int  (*, 0, 0)
ATTRIBUTE  Tunnel-Medium-Type       65  tag-int  (*, 0, 0)
ATTRIBUTE  Tunnel-Client-Endpoint   66  tag-str  (*, 0, 0)
:
:
:
ATTRIBUTE  Configuration-Token      78  string   (0, 0, 0)
ATTRIBUTE  EAP-Message              79  string   (*, *, *)
# RFC 2869 RADIUS Extensions -- Signature is deprecated
ATTRIBUTE  Message-Authenticator    80  string   (1, 1, 1, NOLOG)
ATTRIBUTE  Signature                80  string   (1, 1, 1)
ATTRIBUTE  Tunnel-Private-Group-Id  81  tag-str  (*, 0, 0)
ATTRIBUTE  Tunnel-Assignment-Id     82  tag-str  (*, 0, 0)
ATTRIBUTE  Tunnel-Preference        83  tag-int  (*, 0, 0)
String Value   Decimal Value
VLAN           13
IEEE-802       6
The String Value specified in the dictionary file must match the object class attributes of the aaaReply object used in each user's LDAP record.
EXAMPLE:
VALUE  Tunnel-Type         PPTP           1
VALUE  Tunnel-Type         L2F            2
VALUE  Tunnel-Type         L2TP           3
VALUE  Tunnel-Type         ATMP           4
VALUE  Tunnel-Type         VTP            5
VALUE  Tunnel-Type         AH             6
VALUE  Tunnel-Type         IP-IP-Encap    7
VALUE  Tunnel-Type         MIN-IP-IP      8
VALUE  Tunnel-Type         ESP            9
VALUE  Tunnel-Type         GRE           10
VALUE  Tunnel-Type         DVS           11
VALUE  Tunnel-Type         IP-IP         12
VALUE  Tunnel-Type         VLAN          13
#
VALUE  Tunnel-Medium-Type  IPv4           1
VALUE  Tunnel-Medium-Type  IPv6           2
VALUE  Tunnel-Medium-Type  NSAP           3
VALUE  Tunnel-Medium-Type  HDLC           4
VALUE  Tunnel-Medium-Type  BBN-1822       5
VALUE  Tunnel-Medium-Type  IEEE-802       6
VALUE  Tunnel-Medium-Type  E-163          7
VALUE  Tunnel-Medium-Type  E-164          8
VALUE  Tunnel-Medium-Type  F-69           9
VALUE  Tunnel-Medium-Type  X-121         10
VALUE  Tunnel-Medium-Type  IPX           11
VALUE  Tunnel-Medium-Type  Appletalk     12
VALUE  Tunnel-Medium-Type  DecnetIV      13
VALUE  Tunnel-Medium-Type  Banyan-Vines  14
VALUE  Tunnel-Medium-Type  E-164-NSAP    15
Step 4: Save the dictionary file in text format without the .txt extension.
Step 3. Once the client is authenticated, check the Foundry device to make sure the client's port has been added to the proper port-based VLAN. Use the following CLI commands on the Foundry device to validate the VLAN assignment:
Syntax: show run
Displays detailed port information showing the original Layer 2 VLAN the port belonged to before the dynamic assignment and the VLAN membership after the dynamic assignment.
NOTE: For more information on Foundry's 802.1X Dynamic VLAN Assignment feature and the new status messages, refer to the 07.6.03 Foundry Switch and Router Command Line Interface Reference and Release Notes.